05-07-2008, 11:17 AM
David Boreham

Re: Proposed Patch - LDAPS support for servers on port 636 w/o TLS

Andreas Pflug wrote:
> With ldaps on port 636 STARTTLS should NEVER be issued, so the
> protocol identifier ldaps should be sufficient as "do not issue
> STARTTLS" flag. IMHO the current pg_hba.conf implementation doesn't
> follow the usual nomenclature; ldap with TLS is still ldap. Using
> ldaps as indicator for ldap with tls over port 389 is misleading for
> anyone familiar with ldap.

I agree. ldaps:: should mean plain SSL without StartTLS. ldap:: should
mean a plain text connection, unless some additional configuration
directive enables StartTLS.

There has been some discussion in the past about including (or not) this
configuration state in the URL:

http://www.openldap.org/lists/openld.../msg00070.html



--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

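The semantics argued for in this thread (ldaps:// means TLS from the first byte and never STARTTLS; ldap:// means cleartext unless a separate directive turns on STARTTLS), written out as an added decision function that is not code from the thread or from PostgreSQL. The `ldaptls` option name is an assumption standing in for "some additional configuration directive"; the host names are constructed.

```python
from urllib.parse import urlsplit

# Connection modes a server-side LDAP client would pick between.
PLAIN, LDAPS, STARTTLS = "plain", "ldaps", "starttls"

# Well-known default ports for the two URL schemes.
DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def ldap_connection_mode(url, ldaptls=False):
    """Decide how to connect to an LDAP server named by a pg_hba-style URL.

    ldaps://host[:port] -> TLS wrapped socket; issuing STARTTLS on top of it
                           is a configuration error, so it is rejected.
    ldap://host[:port]  -> cleartext, or STARTTLS when the (hypothetical)
                           'ldaptls' directive is set.
    Returns (mode, host, port).
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        raise ValueError(f"unsupported LDAP URL scheme {scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAP URL has no host")
    port = parts.port or DEFAULT_PORT[scheme]
    if scheme == "ldaps":
        if ldaptls:
            # The scheme already is the "do not issue STARTTLS" flag.
            raise ValueError("STARTTLS must not be combined with ldaps://")
        return LDAPS, parts.hostname, port
    return (STARTTLS if ldaptls else PLAIN), parts.hostname, port


def is_valid_entry(url, ldaptls=False):
    """True when the URL/directive combination is one the rules accept."""
    try:
        ldap_connection_mode(url, ldaptls)
        return True
    except ValueError:
        return False
```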